In 2016, SonicWall detected a 600% growth in ransomware families. We saw a wide range of ransomware forms and attack vectors in the 2017 Annual Threat Report; some successful, others not so much. So, what is at the core of any successful attack? If you understand the seven components of a ransomware campaign strategy, you can better defend yourself from one of the most pernicious forms of malware in history.

1. Intelligent target research

Any good scammer knows how to find the right people in an organization to target with the right message. Hackers know that municipal and healthcare are a ripe choice. Even though organizations are providing awareness education, people still click on cleverly created social media posts and emails. In addition to this, hackers can go to any public lead generation database and find the right set of victims for a phishing campaign.

2. Effective delivery

Since 65 percent of ransomware attacks happen through email, a scammer can easily send that infected attachment to someone in accounts payable claiming it is an unpaid invoice. A similar attack brought BWL of Lansing, Michigan to its knees for two weeks and cost the utility provider around $2.4M USD. Secondly, developing sensationally titled social media posts with a farfetched photo are great at funneling people to infected web destinations, which make up roughly 35 percent of successful attacks.

3. Good code

Because companies are bolstering their security strategy, attackers should focus on ways of circumventing this. First, aggressive hackers update their code frequently to get past signature-based counter-measures. Second, the code should have several built-in evasion tactics to sneak past advanced defenses such as network sandboxes. Cerber’s code provides a great example for other attackers to model. Malicious code authors are hoping the target does not deploy a multi-engine sandbox like SonicWall Capture Advanced Threat Protection, which is much more difficult to evade. Third, the code should worm from system to system to create as much havoc as possible and therefore increase the potential payoff.

4. Great understanding for infected systems

Any good hacker will know what he/she has infected and thereby ask for an appropriate ransom. Endpoints such as a laptop are worth $1K, servers $5K and critical infrastructure as high as hundreds of thousands of dollars. Hackers hope that their targets do not have segmented networks so they can infect multiple systems within a single attack. They also rely on inconsistent backups for a higher customer conversion rate.

5. Patience & persistence

In order for organizations to stay safe from an effective attack, they have to be right all the time. For the attackers, they have to be right just once. Although awareness, security, and consistent backups are the essential ingredients to ransomware defense, they are not perfect. This is why good hackers keep trying, repackaging code into different delivery mechanisms and exploit kits.

6. Good customer support

The best ransomware variants have good customer support channels. Attackers use them to negotiate with victims and assure them that they will get their data back if they pay.

7. Good payment management

Although other ransomware variants have used other forms of payment, bitcoin is still the best choice. Bitcoin is easier to obtain and exchange, so ransomware attacks have a higher payout ratio against consumers with infected endpoints. To mitigate bitcoin wallet compromise, hackers will rotate the associated email address with a specific wallet, which also pressures victims to pay quicker.

I hope that you will be able to read these notes to understand what is in the mind of an attacker possibly targeting your industry or organization. Use these tips to develop a good anti-ransomware and malware strategy. For more information, please watch this webcast Securing Your Organization from Ransomware.

Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware star. Fascinated in the growth of consumer internet, Brook dabbled in grey-hat hacking in the mid to late 90’s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.